Security issues on ArtChain



One of the problems with the blockchain goldrush is that it attracts a lot of people who don't necessarily have the required technical skill to safely run a service. This in turn reduces trust in the ecosystem. I'd like to discuss ArtChain.info - "Certifying Art Using the Bitcoin Blockchain" - and some of the […]

Minimum Viable XSS


Here's a fun little game for all the family! What is the minimum number of characters required to perform a successful XSS attack? Let's take an entirely theoretical example - suppose we have a site which echoes back user input without sanitising it. So a search for "<em>" turns the whole page italic. *ahem* […]

Responsible Disclosure - XSS Flaw at LetsSaveMoney.com


Another day, another bug! LetsSaveMoney.com is a "money saving" site. It offers discounts on a wide range of products and services, and is financed through affiliate marketing. My Trade Union, Prospect, has just launched a white-labelled "Members' Rewards" based on LetsSaveMoney - that's how I came across this bug. It's a depressingly familiar story - […]

Privacy and Security Flaw with CAB


The Citizens' Advice Bureaux have just released a real-time view of what people are searching for on its site. It's heartbreaking. As Tom Loosemore (@tomskitomski) tweeted on October 21, 2014: "Interesting new digital stuff emerging from @CitizensAdvice http://t.co/zvc0kcoj0A <-- uncomfortable, messy, visceral reality @mikedixonCAB". The live searches included "who supplies my electricity", "why do some children become looked after", "will i […]

The Unsecured State Part 1 - UK Parliament XSS Flaw (Disclosed & Fixed)


This is part 1 of a series of blog posts looking at the security of the UK Government's web infrastructure. The UK Parliament website is pretty great. It houses a huge amount of historical information, lets people easily see what's happening in the Commons and the Lords, and is run by some really clever people. […]

Huffington Post UK XSS Flaw (Disclosed & Fixed)


The UK version of the Huffington Post was vulnerable to an XSS flaw. This allowed any malicious user to inject images, video, text, and JavaScript into the page. Although the above image shows a very silly use of XSS, it could quite easily be used to craft a page to encourage journalists and readers to […]

Mydex XSS Flaw (Disclosed & Fixed)


Ever heard of Mydex? Here's how they describe themselves: Mydex provides the individual with a hyper-secure storage area to enable them to manage their personal data, including text, numbers, images, video, certificates and sound. No-one but the individual can access or see the data. Not just secure, but hyper-secure! They've been signed up by the […]